SOLVING RANDOM EQUATIONS IN GARSIDE 
GROUPS USING LENGTH FUNCTIONS 

MARTIN HOCK AND BOAZ TSABAN 

Abstract. We give a systematic exposition of memory-length al- 
gorithms for solving equations in noncommutative groups. This 
exposition clarifies some points untouched in earlier expositions. 
We then focus on the main ingredient in these attacks: Length 
functions. After a self-contained introduction to Garside groups, 
we describe length functions induced by the greedy normal form 
and by the rational normal form in these groups, and compare their 
worst-case performances. In the case of Artin's Braid group, we 
show that a better approach for estimating the minimal length in 
Artin generators is measuring the length in Birman-Ko-Lee (BKL) 
generators of the rational BKL form. This is proved theoretically 
for the worst case, and experimentally for the generic case. 



1. Solving random equations 

All groups considered in this paper are multiplicative noncommuta- 
tive groups, with an efficiently solvable word problem, that is, there is 
an efficient algorithm for deciding whether two given (finite products 
of) elements in the group are equal as elements of the group. Through- 
out this paper, G denotes such a group. 

Problems involving solutions of equations in groups have a long his- 
tory, and are nowadays also explored towards applications in public-key 
cryptography [13] • We mention some of the more elegant problems of 
this type. 

Problem 1 (Conjugacy Search). Given conjugate a,b G G, find x G G 
such that b = xax~ x . 

Problem 2 (Root Search). Given a G G, find x G G such that a = x 2 , 
provided that such x exists. 

Problem 3 (Decomposition Search). Let H be a proper subgroup of 
G. Given a,b G G, find x,y G H such that b = xay, provided that there 
exist such x, y. 
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We will discuss the meaning of the terms "given" and "find", ap- 
pearing in Problems [Tf|3j later. 

Problems [Ifj3j as well as many additional ones, can be stated gen- 
erally as follows. By free-group word w(ti, . . . , tf.) we mean a product 
of variables • ■ . . . • tf 1, for any choice of a positive integer n and 
elements ii, . . . , i n G {1, . . . , k} and e\, . . . , e n G {1, —1}, such that no 
cancellation is possible, that is, for each j — 1, . . . , n, if ij — ij+i, then 

Problem 4 (Solution Search). Fix Hi, . . . ,Hk < G and a free-group 
word w(tx, . . . , tfc +n ). Given parameters pi,...,p n G G and an ele- 
ment c G G, find x\ G Hi,...,Xk G H k such that c = w(xi, . . . , 
Pi,...,p n ), provided that there exist such X\ , . . . , Xfc . 

Problem |4] deals with the solution of a single solvable equation (with 
parameters). It can also be stated for systems of several equations. The 
algorithms proposed here easily generalize to cover this case, cf. [5]. 

1.1. Making the problems meaningful. It suffices to discuss Prob- 
lem m 

First, all given information must be coded in some compact form. For 
example, the subgroups H\, . . . , of G may be described by lists of 
generators and relations, all (the list, the generators, and the relations) 
of manageable length. 

Second, the problem may require that it be possible to find a solu- 
tion for each possible instance of the problem, or for a certain portion 
of the instances. Alternatively, the instances of the problem may be 
chosen according to a certain distribution D, and we may require that 
a solution can be found with a high-enough probability (a probabilistic 
model). 

Finally, by "find" we mean "find efficiently", i.e., use an algorithm 
with a feasible running time. Otherwise, in most cases of interest the 
problems are solvable. E.g., if G is a finitely generated group with 
solvable word problem, then we can solve Problem [4] by enumerating 
G k recursively, and trying all possible solutions until one is found. This 
algorithm always succeeds in a finite running time, but usually this 
running time is infeasible. 

In this discussion, all quantitative terms (compact, efficient, signifi- 
cant, etc.) have two natural interpretations: Concrete (e.g., of size less 
than 1GB) or asymptotic (e.g., polynomial in the size of the input). 

1.2. The probabilistic model. With an eye towards applications, we 
will always use the probabilistic version of the problems, where we wish 
to find (efficiently) a solution with a significant probability, provided 
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that the instances of the problem are chosen according to a certain 
known distribution D. 

More precisely, in Problem [4] we fix a distribution D on G k+n such 
that for each (xi, . . . , Xk,pi, ■ ■ ■ ,p n ) in the support of D, we have that 
x\ G Hi,...,Xk G Hk. An instance of the problem is generated as 
follows: A secret tuple (xi, . . . , x k ,Pi, ■ ■ ■ ,p n ) £ G k+n is chosen accord- 
ing to the distribution D, and we are given Pi, ■ ■ ■ ,p n and an element 
c G G equal to w(x\, . . . , Xk,Pi, ■ ■ ■ ,p n ) in G. We must then search for 
elements Xi G . . . , x k G such that with a significant probability, 
c = w(xi,...,x fc ,pi,...,p n ) in G. 

By peeling off known parameters on the left of the given word w(x±, 
. . . ,Xk,pi, ■ ■ ■ ,p n ), we may assume that it begins with a variable Xi 
(possibly inverted). If we are able to find Xi (with a significant proba- 
bility), we can treat it as a parameter henceforth, and proceed to the 
next leading variable after peeling off all parameters on the left. Con- 
tinuing in this manner, we find suggestions for all variables, and can 
check whether we obtained a solution. 

This reduces the general Problem [4] to the following (more difficult) 
problem. 

Problem 5 (Leading- Variable Search). Fix H±, . . . , Hk < G and a 

free-group word t\ ■ w(ti, . . . , £&+«). Given parameters pi, . . . ,p n E G 
and an element c — X\ • w(xi, . . . , Xk,pi, ■ ■ ■ ,p n ) G G such that X\ G 
H h ...,x k E H k , find xi. 

Problem [5] makes sense only in the probabilistic model, because in 
general there could be more than one solution to a given equation. 
In certain settings, it may be much more difficult than the original 
Problem HI 

Problem [5] can be reduced to the following neatly stated problem. 

Problem 6 (Factorization Search). Fix H < G. Given an element 
c = xy G G with x G H , find x. 

Problems [6] and [5] are equivalent: Given an instance of Problem [5j 
we can take x = x\ and y = w(xi, . . . ,x k ,Pi, ■ ■ ■ ,p n ) to get an instance 
of Problem [6j which if solved successfully, would give us X\. On the 
other hand, given an instance of Problem [6j we can take tu(ti) = t\ 
and the instance is x ■ w(y), so Problem [5] applies. 

In summary, any algorithm solving Problem|6]with a significant prob- 
ability, may be used to solve arbitrary equations (Problem [4]), though 
with smaller success probability. 

1.3. Decision problems. All mentioned problems also have a deci- 
sion version. For example, the Congugacy Problem is: Given a,b G G, 
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are they conjugate? From the probabilistic point of view, a solution to 
the search version also implies a solution to the decision version, in the 
following sense. 

Assume that A is an algorithm searching for solutions of equations of 
a certain type (e.g., b = xax' 1 ), and that its running time is bounded, 
say by a polynomial function of the length of its input. We define a 
decision algorithm A' with running time bounded by the same polyno- 
mial: Given an instance of the equation to be checked, run A on this 
instance for the expected polynomial time, and then terminate it if it 
did not terminate already. If a solution was found, the decision of A' 
is Yes. Otherwise, it is No. 

Assume that the instances of the equation are distributed according 
to some distribution E. This induces a distribution D on the solvable 
equations, by conditioning that the chosen equation be solvable. Let 
p be the probability that A finds a solution to (necessarily, solvable) 
equations distributed according to D. 

For each specific instance of the equation, A' is correct in probability 
at least p: If this instance has a solution, it will be found by A in 
probability p, in which case A' decides "Yes" . And if this instance has 
no solution, then in probability 1, A will not find a solution (simply 
because there is none), and A' decides "No". 

This can also be viewed as follows: Let q = 1 — p. The probability 
that A' comes up with a wrong answer is: 

P (Wrong decision) = 
= P(Decision = Yes | ^Solution) • P(^Solution) + 
+ P(Decision = No | 3Solution) • P(3Solution) = 
= • P(^Solution) + q ■ P(3Solution) = 
= q ■ P(3Solution). 

In particular, this probability is at most q, and the worst case is 
when P(3Solution) is 1, in which the oracle always produces solvable 
instances, and we are actually in the search version of the problem. 

This justifies, to some extent, restricting attention to search problems 
when working in the probabilistic model. 

2. The memory-length algorithm 

The potential usefulness of length functions for solving Problem [6] 
was identified in [ID] . This was extended in P to the following algo- 
rithm. 
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2.1. The memory-length algorithm. Let H < G be generated by 
elements of G. Assume that an efficiently computable func- 
tion £ : G — > M>o is given, such that £(abw) tends to be greater than 
£(w) for w G G, a, b G {ai, . . . , a m } ±:L . 

An instance of Problem[6]is chosen according to a certain distribution 
D, and we are given c which is equal in G to xy. 

Let x = djl<ijl ■ ■ • a}™ be a (shortest) expression of x in the generators 
di, . . . , a TO . By standard arguments, we may assume that n is known 

mm- 

The algorithm generates an ordered list of M sequences of length n, 
with the aim that with a significant probability, the sequence 

((ji,ei),(j2,e 2 ),...,(jn,en)) 

(which codes X) appears in the list, and tends to be among its first 
few members. It consists of the following steps: 

Step 1. For each j = 1, . . . ,m and each e G {1, —1}, compute a~ € c = 
aj £ xy, and give (j, e) the score £(aj e c). Keep in memory the M ele- 
ments (j, e) with the best (=lowest) scores. 

Steps s = 2,3, ... ,n. For each sequence ((ji, ei), . . . , (j s -i, e s -i)) out 
of the M sequences stored in the memory, each j s = 1, . . . , m, and each 
e s G {1,-1}, compute 

^7: s (cr • • • < ^)) = 'wcr • • • 

and assign this score to the sequence ex), . . . , (j s , e s )). Keep in 
memory only the M sequences with the best scores. 

The algorithm terminates after n steps, with M proposals for ((ji,£i), 
(j2,e 2 ), (j n ,e n )). 

It is not difficult to see that the complexity of this algorithm is 
n(n+Am+l)M/2 group operations and evaluations of £. It is interesting 
to note that this algorithm may also be useful for solving the following. 

Problem 7 ((Shortest) Subgroup Membership Search). Given a 1; . . . , 
a m G G and x G (oi, . . . ,a m ), find a (shortest possible) expression of x 
as a product of elements from the set {ai, . . . , a m } ±1 . 

2.2. Sufficiency for the general problem. Assume that the algo- 
rithm succeeds, with a significant probability, to have the leading ele- 
ment x in the final list. Then we have the following. 

If there is only one unknown variable in the equation (e.g., Problems 
[T]-[3]), then we can check (in running time M) all elements in the list 
and find one which is a solution to the problem. 
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In the general case (Problem [4J) there are several unknown variables, 





and we can iterate the algorithm by checking each suggestion in the list. 
The overall complexity is in principle M k . However, the suggestions 
for each variable are ordered more or less according to their likelihood, 
and it suffices to check, for some N -C M, the N most likely solutions. 
This reduces the complexity to N , or more precisely to N% ■ N2 ■ ■ ■ N*., 
where N^ is the number of elements required at the kth step, and it is 
likely that N( + x <C iVj for each i. 

2.3. Improvements. Certain simple modifications in the memory- 
length algorithm increase its success rates. We refer the reader to 
[15] for details. 

2.4. The length function. For this algorithm to be meaningful and 
useful, one must have a good and efficiently computable length func- 
tion on the group G. Our introduction of the memory-length algorithm 
suggests a natural model for comparing length functions for appropri- 
ateness to this method. We explore this below, after introducing a new 
proposal for a length function on the braid group. The braid group 
is, thus far, the most popular in applications related to cryptography 
[13]. Most of these cryptographic applications give rise to an equation, 
whose solution would imply the insecurity of the application. Thus, it 
is natural to look for good length functions on this group. See [13] for 
more details. 



We are going to consider two Garside structures on the braid group 
(to be defined). This section is an essentially self-contained introduc- 
tion to Garside groups, and may be skipped by readers who are familiar 
with this concept, and by readers who do not insist on understanding 
all details of this paper. 

Garside groups were introduced by Dehornoy and Paris [5], and later 
in a more general form by Dehornoy [I]. We treat the latter, more 
general case. All unproved assertions, as well as most of the proved 
ones, are from [5]. 

3.1. Garside Monoids and Groups. Let M be a monoid with can- 
cellation, x G M is an atom if x ^ 1, and x = ah for a, b G M implies 
a = 1 or b = 1. Mis atomic if M is generated by its atoms, and for 
each a G M, the maximum number of atoms in an expression of CI cLS cL 
product of atoms, denoted ||a||, exists. It follows that ||a6|| > ||a|| + ||6|| 
for all a, b G M. In particular, as 1 = 1-1, we have that || 1|| > ||1|| + ||1||, 
and thus ||1|| = 0. For a^l, ||a|| > 0. 




3. Excursion: Garside groups 
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Let M be an atomic monoid. For a, b G M, a is a left divisor of b if 
there is c 6 M such that ac = b. Similarly, a is a right divisor of b if 
there is c G M such that ca = b. a G M is a Garside element of M if 
its left divisors and right divisors coincide, and include all atoms of M. 

M is a Garside monoid if it is atomic, has a Garside element, and 
for all a, b G M, a greatest common divisor a Ab and a least common 
multiple a V b of a and 6 exist in M, both with respect to left divisibility. 

For a, b G M, the complement a \ b is the unique c G M such that 
ac = a V 6. The closure of the set of atoms under the operations of 
complement and least common multiple is the set S of simple elements 
of M. The least common multiple of all elements of S, if it exists (e.g., 
if M is finitely generated), is called the fundamental element of M and 
denoted 5. 5, if it exists, is the least Garside element of M. 

G is a Garside group if it is the group of fractions of a Garside 
monoid M. In this case, the elements of M are called the positive 
elements of G. In the remainder of this section, M is a Garside group 
with a fundamental element 5, and G is the Garside group of fractions 
of M. 

3.2. Greedy Normal Form. For x G M with x ^ 1, the simple 
element 5 A x ^ 1. Define <9(x) = (5 A x)~ 1 x. Then <9(a;) G M, and 
as x = (5 A x)d(x), \\x\\ > \\5 A x\\ + ||<9(x)|| > ||9(a;)||. Define simple 
elements si, s 2 , . . . , as follows. Set x\ = x, and for each i = 1, . . . , r, 
let Si = 5 A Xi, and x i+ i = d(xi). \\x\\ = \\xi\\ > \\x 2 \\ > ■ • ■ > 0, and 
thus there is a minimal n such that x n+ \ = 1. x — s\ ■ ■ ■ s n . Let k > 
be maximal with Sj = 5, and define pj = s^+j, i = 1, .., r, r = n — k. 
The expression 

X = 5 k pi ■ ■ - p T 

is called the greedy normal form of x. 

Consider now x G G\M. If x = <5 fc s and s G M, then jfe < 0. Take 
the maximal integer k such that x = S k s for some s G M. Fix such 
s, and let 5°pi ■ ■ ■ p r = p\ ■ ■ ■ p r be the greedy normal form of s. The 
greedy normal form of x is then again defined to be 5 k p± ■ ■ -p r . 

By the construction, we have that p i+ \ A p^5 = (pi+i ■ ■ -p r A 5) A 
p^ 1 5 = pi + i ■ ■ - p r A (5 Ap^ 1 5) = Xi+i Ap^d — 1 for all i = 1, . . . , r — 1, 
and that p r ^ 1. We say in such cases that the sequence pi, . . . ,p r is 
left-weighted. 

3.3. Rational Normal Form. Following Thurston [HI Chapter 9], De- 
hornoy and Paris define the rational normal form^oi an element x G G. 
To this end, we need the following. 



Also called mixed or symmetric normal form. 
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Theorem 8 (Dehornoy-Paris [5]). For each x G G, there is a unique 
pair (u, v) in M x M such that x = u~ l v and u A v = 1. 

Let x G G, and let u,v G M be as in Theorem [8j Let S\ ■ ■ ■ Sk, 
Pi ■ ■ -pi be the greedy normal form of u, v, respectively. The rational 
normal form of x is the expression 

X = (Sl • • -Sfe)™ 1 ^! • • -Pi). 

All Sj,pj are simple, s\ A pi = 1, and the sequences si,...,Sfc and 
Pi,. . . ,pi are both left-weighted. (The special cases where k = or 
Z = are also allowed.) 

For each a G G, define r(a) = a 5 = 5 _1 a<5. r is an inner automor- 
phism of G, and its nth iterate at a is r n (a) = a s " . t maps simple 
elements to simple elements: For each simple s, let p be such that 
sp = 5. Then p is simple, and thus there is a simple q with = 5. 
Then 

s5 = spq = Sq, 

and thus s s = q is simple. In particular, M is invariant under r. Any 
automorphism of G mapping positive elements to positive elements, 
maps atoms to atoms. It follows that r is a permutation of the atoms 
of M. 

One can obtain the rational normal form from the greedy normal 
form. To see this, we use the following. 

Lemma 9. If s,p are simple and sp is left-weighted, then so are s s p 5 
and s s p 5 . 

Proof. If ac = b are all positive, then a s±1 c 5±1 = (ac) 5±1 = b 5±1 , and 
c s G M. Thus, r ±x both map left divisors to left divisors, and there- 
fore 

(a A b) 5±1 = a 5±1 A b 5±1 
for all a, b G M. Now, assume that sp is left-weighted. Then 

(s^S A p 5±1 = (s~ l 6) s±1 A p s±1 = (a" 1 * A p) 5±1 = l s±1 = 1, 
showing that s s p s is left-weighted. □ 

Proposition 10. If s,p are simple and sp is left-weighted, then so are 
((p 5 )~ l S)((s s +1 )~ 1 5), for all integer k. 

Proof. Assume that sp is left-weighted. Then so is (p~ 1 5)((s s )~ 1 5): 

{p- l 5YH A ((s 6 )-^) = p 5 A {s-H) 5 = (p A (s-^)) 5 = I s = 1. 

By Lemma § ((/T ^((s 5 ^ 1 )^) = ((^^((s 5 )-^)) 5 " is also left- 
weighted. □ 
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Let 5 k pi ■ ■ - p r be the greedy normal form of x. Consider three pos- 
sible cases. 

Case 1: k > 0. Then 5 k pi ■ ■ ■ p r is already a rational normal form (with 
a trivial negative part). 

Case 2: k = —m < and m> r. By definition, 5~ n a = a 5 " 5~ n for all 
a and all n. Using this, we have that 

r>! ■■■ Pr = s-vr 1 ■ s~vr 2 ■■■■■ t~ x v s r r ■ ^ (m_r) = 

S m-r . (pS—yis ..... {p s- -»yi 5 . (j^-y^Y 1 . 



By Proposition [TOj the last inverted expression is left-weighted, and 
thus we have a rational form, with a trivial positive part. 

Case 3: k = —m < and m < r. In the same manner, we have that 

5~ m pi ■■■Pr = S^pf" 1 ■ 8~ l p S ^ 2 "... ■ 5 _1 pm ■ Pm+l " • • • " Pr = 
• • • • • (Pf"')- 1 * ■ (PT" 1 )- 1 *)" 1 ■ • • • ■ 



By Proposition 10, each of the bracketed expressions is left-weighted. 



Thus, this expression is in rational normal form. 

4. Several length functions on Garside groups 

Let M be a Garside monoid with fundamental element 5, and G be 
its group of quotients. 

Assumption 11. We assume that for each simple s G M , the minimal 
length £(s) of an expression of s as a product of atoms can be efficiently 
computed. 

There is always an algorithm for computing £(s): Enumerate all 
words of length 1, 2, 3, ... , until one equal to s is found. The running 
time is bounded by k 1 ^ < k^ a \ where k is the number of atoms. But 



this is in general infeasible. When Assumption 11 fails, one may use 
below any estimation of i instead of the true function. 

Fortunately, in the specific monoids in which we are interested, all 
relations are length-preserving, and thus £(s) is just the length of any 



expression of s as a product of atoms. Thus, Assumption 11 is true in 
our applications. 

Example 12 (Artin's presentation of B^). Consider the monoid 
generated by o~x, ... , o~n-i, subject to the relations 

o~iCi + iai = o-i+\o-iO~ 

aiO-j = OjOi when \i — j\ > 1. 
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The quotient group of this monoid is the braid group Bn on N strings. 
Bjf is a Garside monoid with atoms o~i, . . . , <Jn-i, and fundamental 
element 

S — (C7l • • ■ 0-jV-l)(cTl ■ • • CTAf_ 2 ) • ■ • (o- 1 a 2 )(T 1 . 

The positive elements of Bn are the words in cxi, . . . , <Jn-i not involv- 
ing inverses of generators. As the relations are length preserving, all 
expressions of a positive element as a product of atoms have the same 
length. Thus, for a G M, \\a\\ is the length of a (any) presentation of 
a. 

Elements of B^ can be identified with braids having N strings, where 
each generator er, performs a half-twist on the ith and % + 1st strings. 
This way, 5 is a half-twist of the full set of strings. The simple ele- 
ments correspond to positive braids in which any two strings cross at 
most once. A simple element is described uniquely by the permuta- 
tion it induces on the strings, and every permutation of the N strings 
corresponds to a simple element. 

Example 13 (BKL presentation of B^)- Generalizing the geometric 



interpretation in Example [12] to allow half-twists of the ith and the 
jth string for arbitrary i,j, Birman, Ko, and Lee [2] introduced the 
following presentation of the braid group B^. The monoid BKL~j^ is 
generated by a t)S , 1 < s < t < N, subject to the relations 

at,sa r , q = a r<q a t)S if (t - r)(t - q)(s - r)(s - q) > 0; 

a t,s a s,r = a t,r a t,s = a s,r a t,r if t > S > r. 

Also here, the relations are length preserving, and thus the norm is 
equal to the number of atoms in any expression of the element. 

This monoid also has the braid group Bn as its quotient group. In 



terms of Artin's presentation (Example 12), the Birman-Ko-Lee (BKL) 
generators can be expressed by 

a t ,s = K-i • • • ^+1)^(^7+1 " " • a t-i)- 
BKL+ is a Garside monoid with fundamental element 

Here too, a simple element is described uniquely by the permutation 
it induces on the strings. However, not every permutation of the n 
strings corresponds to a simple element. 

Definition 14. Let M be a Garside monoid with Garside group G. 
The greedy (respectively, rational) length of an element x G G is the 
sum of the minimal lengths of all simple elements (including the in- 
verted ones) in the greedy (respectively, rational) normal form of x. 
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Specifically, if the greedy normal form of x is S k si---s r , then the 
greedy length of x is k ■ £{5) + £(si) + • • • + £(s r ), and if the ratio- 
nal length of x is (si . . . Sfc) -1 pi ■ ■ -Pi, then the rational length of x is 
£(s l ) + ---+£(s k )+£( Pl ) + ■■■+£&). 

Proposition 15. For each a e M ; £(a s ) = £(a). 

Proof. Let n = £(a), and a = ai • • • a n with ai, . . . , a n atoms. Then 
a s = af- ■ ■ a s n . As conjugation by 5 moves atoms to atoms, £(a s ) < n = 
£{a). Similarly, if m = £(a 6 ) and a 5 = b\ - • • b m with bi, . . . ,b m atoms, 

then a = a &5 = b\ 1 ■ ■ ■ b s m 1 , and as conjugation by 5 moves atoms to 
atoms, £(a) <m = £(a s ). □ 

The presentation in the previous section of the rational normal form 
in terms of the greedy normal form gives the following. 

Corollary 16. The rational length of an element with greedy normal 
form 5~ m Si ■ ■ ■ s r , where < m < r, is 

£(s^5) + ■■■+ £{s- m l 5) + £(s m+1 ) + ■■■+ £(s r ), 

and similarly for the cases where m < or < r < m. 

Corollary 17. If the relations of M are length-preserving, then the 
rational length of an element with greedy normal form 5 k s\ ■ ■ ■ s T can 
be obtained by removing 2 J^™"^'^ £(si) from its greedy normal length. 

Proof. If the relations of M are length-preserving, we have that £(ab) = 
£(a)+£(b) for all a, be M, and thus for simples, £(5) = £{ s ) + £{s^ 5) , 
that is, £(s~ l 5) = £{5) - £(s). □ 

This shows, in particular, that the length function considered in [8j [9] 
in the case of the Artin presentation of -Bat is in fact the rational length 
for the Artin presentation of B N . This was first pointed out to us by 
Dehornoy. 

4.1. Quasi-geodesics in Garside groups. Even when the relations 
are length-preserving, it is generally not the case that an efficient algo- 
rithm for computing the minimal length £{x) is available. Even if the 
monoid relations are length-preserving, finding £{x) for x not in the 
monoid (nor in its inverse) may be a difficult task. Indeed, assuming 
P ^ NP, there is no polynomial-time algorithm computing £(x) with 
respect to the Artin presentation of Bn, for arbitrary iV and x G B>n 
|14j . Fortunately, in Garside groups £(x) can be approximated. For 
simplicity, we treat the case of length-preserving relations, so that £ is 
easy to compute on positive elements. 
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Theorem 18. Let M be a Garside monoid with length preserving rela- 
tions and fundamental element 5, and let G be its fractions group. For 
each x G G: 

(1) IfxeM, then £ G (x) = £ R (x) = £(x). 

(2) Ifxe M~ l , then £ R (x) = £{x). 

(3) £(x) < £ R (x) < £ G (x) < 2(£(5) - l)£(x). 

(4) £r(x)<(£(5)-1)£(x). 

Moreover, these bounds cannot be improved. 

Proof. (1) For x G M, each normal form gives some positive presenta- 
tion of x, and thus the corresponding length is the same as the minimal 
length. 

(2) Fix x G M~\ Then £ R (x) = ^(x' 1 ), and by (1), ^(x' 1 ) = 
£{x~ l ) = £{x). 

(3) The first inequality is clear. The second follows from Corollary 



17} We prove the third. Let 

(1) x = a\' ■ ■ ■ a% 

with m = £(x), ai, . . . , a m atoms, and ei, . . . , e m G {1, —1}. For each 
atom a, let a be the simple element such that aa = 5. Then a -1 = 5 _1 a. 
Rewrite each negative atom in the equation [T] in this form, and move 
all occurrences of 5' 1 to the left, using the relation aS 1 = 5 1 a & . 
Let n = \{i : e, = — 1}|. We obtain a presentation 

x = <T n 6i ■■■b m , 

with each 6j being (up to an application of r an integer number of 



times, which preserves length by Proposition 15) if q = 1, and 
otherwise. In particular, £{bi) = 1 if e$ = 1, and tijij) = £(S) — 1 
otherwise. 

Let S k si ■ ■ ■ Sj be the left-weighted form of b\ ■ ■ ■ b m . Then the greedy 
normal form of x is 5~ n+k si ■ ■ ■ Sj, which cannot be longer than 5~ n 5 h 
s\ • ■ ■ Sj. As expressions of positive elements all have the same length, 
the length of 5 k Si • • • Sj is exactly that of bi ■ ■ ■ b m . Thus, 

£ G (x) < n£(5) + £(h ■ ■ ■ b m ) = n£(5) + i(b x ■ ■ ■ b m ) = 
= n£(5) + n(£(5) -l) + (m-n) = 
= n(2£(5) - 2) + m < (2£(5) - l)m, 



as m < 



2 The step before last is added to emphasize that for random words, the upper 
bound is far from being optimal. Indeed, in this case we have n « m/2, which gives 
roughly half of the mentioned bound. There is an elbow room for improvements in 
the random case. 
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(4) This can be proved as in the proof of (3). Alternatively, one 
can use Charney's Theorem [3], extended to general Garside groups 
by Dehornoy and Paris |5], that the number of simple elements in 
the rational normal form is minimal amongst presentations of x as a 
product of simple elements (possibly inverted): If x G M , we can use 
(1) or (2) and there is nothing to prove. Otherwise, let x = a^ 1 • • • a^ 1 
be a minimal presentation of x. In particular each a- 1 is a (possibly 
inversed) simple element. Thus, the number n of simple elements in 
the rational form of x is at most m. As x ^ M , no simple element 
in the rational form of x is 5. It follows that £r(x) < (1(5) — l)m. 

(1) shows that the lower bounds cannot be improved. To see that the 
mentioned upper bounds cannot be improved, consider C-G( a ~ m ) an d 
£n(a m b~ m ) for m positive and distinct non-commuting atoms a, b. □ 



Theorem [18] shows that £r gives a better approximation than £q, and 
gives a theoretical motivation for the results described in [8j. Having 
both experimental [8] and theoretical evidence for the superiority of £■& 
over £q, we concentrate henceforth on the former. 

4.2. Quasi-geodesics in embedded Garside groups. We need not 
stop here, and may consider, as in the case of B^, two distinct Garside 
structures of the same group, such that one of them embeds in the 
other. Let Mi, M2 be Garside monoids with fundamental elements A, 5, 
respectively, such that each atom of Mi is also an atom of M2, and the 
group of fractions of Mi coincides with that of M 2 . Then we may take 
a length in one Garside structure as an estimation for the length in the 
other. We will denote the used structure by a superscripted index. By 
Theorem [l 



£\(x) < (£ 2 (5)-l)f(x)<(f(6)-l)£ 1 (x); 
4(x) < (£\A)-l)£\x). 

Thus, if £ 2 (5) < ^ 1 (A), £^(x) has a smaller approximation factor at its 
upper bound. 

For the lower bound, let A2 be the set of atoms of M2, and set 
a = max{£ 1 (a) : a G A 2 }. 
Then £ l (x) < a£ 2 (x), and thus 

t\x) < a£ 2 (x) < a£\(x). 



This gives the following. 
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Theorem 19. In the above notation, 
1 



£ 1 (x)<£l(x)<(f(5)-l)£ 1 (x). □ 
a 



The advantage of Theorem 19 is that the distortion factors are sym- 
metrized around the used length function £\{x). Our main application 
is the following. 

4.3. The case of the braid group. Consider the braid group as gen- 
erated by the Artin monoid B^ as well as by the BKL monoid BKL^ 



(Examples 12-13), and let A and 5 be their respective fundamental 
elements. Consider the minimal lengths i 1 for the Artin structure, and 
I 2 for the BKL structure of B^, respectively. 

£\A) = N(N - l)/2, whereas £ 2 (5) = N - 1. For each atom a tjS of 
BKLft, £ l {a t , s ) < 2{t - s - 1) + 1 = 2(t - s) - 1. In particular, 'the 
maximum a of all these lengths satisfies 

a < 2N-3. 



By Theorem 19, we have that £^, the length in BKL generators of the 
rational normal form in the BKL structure of B^, is quite symmetri- 
cally close to the minimal Artin length: 

Corollary 20. For each x G B^: 

For comparison, measuring the minimal Artin length by working 



solely with the Artin structure of B^, we only have (by Theorem 18): 



N 2 — N — 2 

£\x) < 4(x) < {£\A) - l)£\x) = £\x). 

The gain may be viewed as follows: In the latter case, we have a con- 
stant (in N) error factor from below, and quadratic error from above. 



In Corollary 20, both errors are linear, that is, the errors are sym- 
metrized by dividing by O(N) terms. 

Another matter, which we cannot prove at present, is that the lower 
bound in Corollary [20] seems to be a big underestimate in the generic 
case. It seems to us that in the generic case, the lower bound factor 
should not be much smaller than 1 (indeed, it may be greater than 1). 

In summary, we have theoretical evidence suggesting that estimating 
the minimal length in Artin generators by using rational BKL normal 
form should be better than the same estimation using rational Artin 
normal form. We now verify this with experimental results. 



RANDOM EQUATIONS IN GARSIDE GROUPS 



15 



5. Experimental results 

5.1. Initial experiments. For the Artin presentation, it is shown in 
[8] that the rational Artin length is much better than greedy Artin 
length, at least with regards to solving random equations with difficult 
parameters. Our initial experiments showed that this is also the case 
for the BKL presentation: The rational BKL length is better than 
greedy BKL length. 

In the initial phase of this project, we have compared various length 
functions induced by various alternative ways of measuring lengths of 
elements, and found out that only the rational BKL length outperforms 
the rational Artin length when the problem's parameters are getting 
difficult. The remainder of this report is therefore dedicated to the 
comparison of the these two leading candidates. 

5.2. A detailed comparison. We adopt the basic framework of [U [9j 
[8]: The equations are in a finitely generated group G = (a 1; . . . , a NG ) < 
B m , where NS denotes the number of strings and NG denotes the num- 
ber of generators of G. Each generator cij is a word in B NS obtained 
by multiplying WL (word length) independent uniformly random ele- 
ments of {<Ti, . . . , cr NS _i} ±1 . In G, we build a sentence X of length SL 
(sentence length): 

X = a ± a 2 ■ ■ ■ a SL 

(For the while, we restrict SL < ng). 

We begin with a description of a test suitable for groups G which 
are close to being free. For each i G {1, . . . , ng} and each e G {1,-1}, 
we give the generator a\ the score 

£(arX), 

sort the generators according to their scores (position 1 is for the short- 
est length), and reorder each block of identical scores by applying a 
random permutation. We then keep in a histogram the position of a\. 
We do one such computation for each sample of G and X. 

While a\<i2 • ■ ■ a Sh is not the way a random SL sentence in G was 
defined, this does not make the problem easier: We use each group G 
to produce only one such sentence. 

To partially compensate for the fact that G need not be free, we 
do the following. There could be several i G {1,...,ng} such that 
X = OjOi • • • di-idi+i ■ ■ ■ a Sh . Let COR denote the set of these a«, the 
correct first generators. After sorting all generators as above, instead of 
looking for the position of cti, we look at the lowest position an element 
of COR attained. 
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Remark 21. A more precise, but infeasible, way to construct COR would 
be to find all shortest presentations of X as a product of elements from 
{a±, . . . , a m } ±! , and let COR be the set of the first generators in these 
presentations. For the parameters we have checked, we believe that this 



should not make a big difference. The results in Section |5.6| support 
this hypothesis. 

We have also checked one case where SL > ng. In this case we 
defined 

X OjjOjj ' ' ' O'isLi 

where ij = (j — 1 mod ng) + 1 for j — 1, . . . , SL, and made the obvious 
adjustments. 

In summary, for each set of parameters (ns, wl, ng, SL) mentioned 
below, and for i being either the rational Artin or the rational BKL 
length, we have repeated the following at least 1, 000 times: Choose 
ax, . . . , a NG , compute X, compute COR, sort all generators a\ according 
to the lengths £(a~ e X), find the lowest position attained by an element 
of COR, and store this position number in the histogram. 

After dividing the numbers in the histogram by the numbers of sam- 
ples made, we obtain the distribution of the best position of a correct 
generator. In light of the intended application described in the first 
two sections, a natural measure to the effectiveness of i is the graph 
of the accumulated probability, showing for each x = 1, . . . , 2ng the 
probability that some correct generator attained a position < x. 

The results of our experiments are divided into 4 sets such that in 
each set of experiments, only one parameter varies. This shows the 
effect of that parameter on the difficulty of the problem. The varying 
parameter takes 3 possible values, so we have 3 pairs (since there are 
two length functions) of graphs. Each pair of graphs has its own line 
style, so to allow plotting all 6 graphs on the same figure. 

For all pairs, one of the graphs is always above or almost the same 
as the other. Fortunately, in all cases, it is the rational BKL length 
which is above the rational Artin length, so there is no need to supply 
this information in the figure. 

Finally, since the accumulated distributions all reach 1 for x = 2ng, 
the graphs are more interesting for the smaller values of x. We therefore 
plot only the first 35 values of x. 



5.3. When the sentence length varies. Fix NS = 64, WL = 8,NG = 
128. Figure [I] shows the accumulated probabilities for SL G {32,64,128}. 
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Figure 1. When sl varies 



5.4. When the word length varies. For NS = SL = 64, NG = 128, 
and WL G {8,16,32}, we obtain the graphs in Figure [2j The prob- 
lem gets easier when WL increases, since this way G gets closer to a 
free group (where the length approach is optimal). The remarkable 
observation is that the harder the problem becomes (by making WL 
smaller), the greater the improvement of the rational BKL length over 
the rational Artin length becomes. 

5.5. When the number of generators varies. Now set NS = SL = 

64, WL = 8, and let NG G {32,64, 128}. The graphs appear in Figure 
[3j Here too, the more difficult the problem becomes (by increasing the 
number of generators), the greater the advantage of BKL over Artin is. 
Moreover, the graphs show that doubling NG has little influence on the 
performance of the rational BKL length, whereas it seriously degrades 
the performance of the rational Artin length. 

5.6. When the number of strings varies. Finally, set WL = 8, SL = 

64, NG = 128, and let NS G {16,32,64}. Here, the problem becomes 
easier when we increase NS (Figure This is not in accordance with 
earlier results in [8j [9], and is perhaps due to the fact that we allow 
any correct generator, whereas in the earlier works we only counted a\ 
a success. Indeed, the more strings there are, the greater the chances 
are that words of length 8 commute. On the other hand, the graphs 
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show that while the BKL approach benefits a great deal when the 
number of strings is doubled, this is not quite so for the Artin approach. 
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This means that the improvement in success rates due to commuting 
generators is not substantial. 




Figure 4. When ns varies 



6. Concluding remarks and proposed future research 

Memory-length algorithms give a powerful heuristic method to solve 
arbitrary equations in noncommutative groups, and consequently a va- 
riety of otherwise intractable problems. These algorithms rely on a 
good length function on the group in question. In the past, greedy 
Artin length was used as a length function on the braid group, and it 
was realized that rational Artin length gives better results. 

In this paper, we suggested to use rational BKL length to measure 
the minimal Artin length, and gave theoretical as well as experimental 
evidence for the advantage of the new function over rational Artin 
length, at least when randomization is modelled as in pQ. 

The main drawback in our estimations is that they give much larger 
lengths than the minimal length. Some interesting directions for pos- 
sible improvements are: 

(1) As we have seen, the rational form can be computed from the 
greedy normal from by "removing" 8-s from the leading simple 
elements. We may be more greedy, and remove the available 
S-s from the (leftmost) longest simple elements in the greedy 
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normal formj^] This gives a new normal form in Bn, which has 
shorter length in terms of atoms. The resulting length function 
may be yet better than the one proposed here. 
For each x and each proposal for a length function of x, we 
can take the minimum of the lengths of several elements whose 
minimal length is not smaller than that of x, including: x, x~ l , 
x for each k = 1, . . . ,m — 1, where m is the minimal with 8 m 
central. 

Since we use left-oriented normal forms in our estimations, we 
can also try the corresponding right- oriented normal forms, and 
take the minimum. 

We can iterate conjugation by 8 and inverses (and other opera- 
tions which are not increasing the minimal length) with short- 
ening heuristics like Dehornoy handle-reduction. In [12] this 
was done only to a very limited extent. 

In [12], Dehornoy handle- reduction was applied to the greedy 
normal form to obtain an estimation of the minimal length. 
We conjecture that applying Dehornoy handle-reduction to the 
rational normal form would give better estimations. 
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